Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

use github token if present when fetching org id #19244

Merged

Conversation

raymonstah
Copy link
Contributor

When running our acceptance tests in other repos, we often hit the rate limit for GitHub's API. See https://github.com/hashicorp/terraform-provider-vault/actions/runs/3767881277/jobs/6405863202#step:5:349 as an example. This change takes in the Github token (if present) when creating the GH client so that we can make authenticated requests, which bumps the rate limit to 5k requests per hour, instead of the 60/hour that we're currently exceeding.

client, err := b.Client("")
var githubToken string
if token, ok := data.GetOk("token"); ok {
if t, ok := token.(string); ok {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should add token to the framework.FieldSchema above in pathConfig(). You can see an example of that here. If we do that then we can safely do the type assertion without this "if ok" pattern. Additionally, we will want to add token to the API docs.

Copy link
Contributor

@fairclothjm fairclothjm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for taking this one on! This adds an interesting situation. Currently we require the token on Login. But if the user has already configured this auth method with a token in the Config step then they might expect to not have to provide a token on Login. I think we should still require it on Login, but I am curious what others think.

@raymonstah raymonstah added this to the 1.14 milestone Feb 17, 2023
@raymonstah
Copy link
Contributor Author

@fairclothjm and I discussed this some more, we decided to keep the login path as-is, requiring the user to specify the token, for cases where the user logging in may not necessarily be the same user who is setting up the GitHub config.

@fairclothjm
Copy link
Contributor

@raymonstah I am thinking it might be better to read an environment variable to get the token for writing the config. Adding the token as a new field on the config might cause confusion since this is just to fix an edge case that we are only aware of in the TFVP tests. The real solution for users is to set the org ID in the config. What do you think?

@raymonstah
Copy link
Contributor Author

@fairclothjm I think that makes much more sense. Thanks for the suggestion.

Copy link
Contributor

@fairclothjm fairclothjm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Copy link
Contributor

@vinay-gopalan vinay-gopalan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Had a quick q: is there a need to call it the VAULT_AUTH_GITHUB_TOKEN if it's never actually being used for authentication? Was curious if this was just because of a precedent or if we can also name this GITHUB_TOKEN to match up w/ what we already have in the TFVP. We can rename the TFVP environment variable as well, just wanted to bring up the question 😄 also tagging @fairclothjm for visibility

@raymonstah
Copy link
Contributor Author

@vinay-gopalan I prefixed it with VAULT_AUTH because I saw that's the way it was done here

token = os.Getenv("VAULT_AUTH_GITHUB_TOKEN")
but open to changing it

@vinay-gopalan
Copy link
Contributor

@vinay-gopalan I prefixed it with VAULT_AUTH because I saw that's the way it was done here

token = os.Getenv("VAULT_AUTH_GITHUB_TOKEN")

but open to changing it

Ah okay, I think that looks good; thanks for confirming @raymonstah!

@fairclothjm
Copy link
Contributor

@raymonstah @vinay-gopalan I missed that VAULT_AUTH_GITHUB_TOKEN is already in use by the login path (only via CLI). I don't see that we have that documented anywhere except in the changelog.

Also, we are using GITHUB_TOKEN in these tests.

I am wondering if we should use something different? Maybe VAULT_AUTH_CONFIG_GITHUB_TOKEN? I don't feel too strongly about this though. I do see value in prefixing with VAULT_* however.

@vinay-gopalan
Copy link
Contributor

@raymonstah @vinay-gopalan I missed that VAULT_AUTH_GITHUB_TOKEN is already in use by the login path (only via CLI). I don't see that we have that documented anywhere except in the changelog.

Also, we are using GITHUB_TOKEN in these tests.

I am wondering if we should use something different? Maybe VAULT_AUTH_CONFIG_GITHUB_TOKEN? I don't feel too strongly about this though. I do see value in prefixing with VAULT_* however.

JM that's a great callout and thanks for going the extra step to confirm the environment variables aren't already being used! I agree with you in that I don't have a strong preference, but I also see the value in adding the prefix since it's a precedent— VAULT_AUTH_CONFIG_GITHUB_TOKEN seems to provide enough info to keep the variable separate only for this use-case so I'm good with that 👍🏼

@raymonstah raymonstah merged commit 77e80a8 into main Feb 21, 2023
@fairclothjm fairclothjm deleted the VAULT-13616-use-github-token-if-present-when-fetching-org-id branch March 17, 2023 20:52
@fairclothjm
Copy link
Contributor

@raymonstah FYI, we are going to backport this to 1.13, .12, and 1.11 so the TFVP tests are happy. Thanks again for this!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants